27 March

Group-IB: After Arrest of its leader, Cobalt group continues to strike

Group-IB, the leading provider of intelligence-driven cyber-security, has reported that, in spite of the arrests of the Cobalt gang leader and malware writer, Cobalt has continued to strike.

The arrest of the Cobalt gang leader in Alicante (Spain) has not yet brought an end to this targeted attack group's attacks on financial institutions. On the morning of March 26 (approximately 11:00 MSK), Group-IB’s Computer Emergency Response Team identified spear phishing emails sent by Cobalt posing as Spamhaus, a well-known non-profit organization that fights spam and phishing. The letter, sent to targets from j.stivens@spamhuas.com (the real domain of «Spamhaus» is spamhaus.org), claimed that the target company's IP addresses had been blocked on suspicion of sending spam. To «solve» the problem, the authors of the letter invited the victim to follow a link leading to the download of a Microsoft Office document, which was in fact malware. After analysing the structure of the attack, specialists from the malware analysis department confirmed that Cobalt is behind the campaign.
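The lure above works because spamhuas.com differs from spamhaus.org by a single swapped letter pair and a different TLD, which a reader scanning a sender field will miss. The following detection snippet is an added example, not Group-IB's code or any tool the report describes: it parses the From header of a message and compares the sender's second-level label against a list of protected brands using optimal-string-alignment (Damerau-Levenshtein) distance, so that adjacent-character transpositions count as one edit. The sample message body and the PROTECTED_DOMAINS list are constructed for this example; only the sender address and the real Spamhaus domain come from the report.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. The sender address and the real Spamhaus
# domain are those named in the report; the body text is invented here.
SAMPLE_EMAIL = """From: John Stivens <j.stivens@spamhuas.com>
To: security@example-bank.test
Subject: Your IP addresses have been blocked for sending spam

Follow the link below to resolve the block.
"""

# Brands worth protecting against lookalike senders. This list is an
# assumption for the example, not something the report specifies.
PROTECTED_DOMAINS = {"spamhaus.org"}


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent
    transpositions counted as a single edit, so 'spamhuas' vs 'spamhaus'
    scores 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost) # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def second_level_label(domain):
    """'mail.spamhuas.com' -> 'spamhuas'; single-label input is returned as-is."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender(raw_email, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return a verdict dict for the From header of a raw RFC 822 message.

    legitimate: sender domain is a protected domain or a subdomain of one
    lookalike:  second-level label is within max_distance edits of a
                protected brand (covers transpositions and TLD swaps)
    unrelated:  no protected brand resembles the sender domain
    """
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return {"domain": domain, "verdict": "no-sender"}

    for legit in protected:
        if domain == legit or domain.endswith("." + legit):
            return {"domain": domain, "verdict": "legitimate", "matches": legit}

    sender_label = second_level_label(domain)
    for legit in sorted(protected):
        dist = osa_distance(sender_label, second_level_label(legit))
        if dist <= max_distance:
            return {"domain": domain, "verdict": "lookalike",
                    "matches": legit, "distance": dist}

    return {"domain": domain, "verdict": "unrelated"}


if __name__ == "__main__":
    print(classify_sender(SAMPLE_EMAIL))
```

The exact-match branch runs before the distance check so that genuine mail from a protected domain is never flagged; a distance of 0 with a different TLD (for instance the brand's label under a TLD it does not use) is still reported as a lookalike, since the sender domain failed the exact-match test. Keep max_distance at 1 for brand names this short: at 2 or more, unrelated eight-letter words start to collide.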

Cobalt is one of the most active criminal groups responsible for targeted attacks on banks. According to Europol, the group has stolen approximately one billion euros from 100 banks in 40 countries. On March 26, Europol reported that a large-scale operation had been conducted by the Spanish National Police with the support of Europol, the FBI, and law enforcement agencies of Romania, Taiwan and the Republic of Belarus. As a result, the leader of Cobalt was detained in Spain, and the author of the Cobalt malware was arrested by Ukrainian authorities in Ukraine.

We do not rule out the theory that the remaining members will continue to conduct operations for a period of time with the goal of showing that the individuals arrested were not associated with the group. Given the arrest of the Cobalt Group’s leader, such campaigns will soon subside, and the most likely scenario is that remaining Cobalt members will join existing groups or a fresh «redistribution» will result in a new cybercriminal organization attacking banks across the world. In any event, this Group, a worthy adversary in terms of tools and tactics, was brought to justice.

Dmitry Volkov

Group-IB’s CTO, Head of Threat Intelligence Department

Since 2016, Cobalt has successfully attacked banks in Russia, the United Kingdom, the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia, Taiwan, Malaysia and other countries. Group-IB forensic specialists were amongst the first to investigate Cobalt’s attacks on Russian and foreign banks and in November 2016 issued a public report on the activities of the group.

For a considerable time, Cobalt’s «secret of success» lay in the fact that the group's hackers constantly tested new tools and schemes, frequently changed the location of their attacks, and familiarized themselves with how the targeted bank worked. After gaining access to computers in a target bank, Cobalt often spent two to four weeks studying the organization's internal infrastructure and observing its working processes, and only then conducted the attack.

It is also worth noting that the group did not only target banks, but also software development, media and insurance companies. The group would gain access to these third parties and subsequently conduct attacks on banks from there, increasing their probability of success.

It is great to see such cooperation from international law enforcement and the private industry to bring such a group to justice. Group-IB will be ready and monitoring for signs of future activities from targeted attack groups impacting the banking sector.